issue #2355 enforce ui context for API key management

...and improve profile JS. Replaces can_manage_api_key() with connected_with_pwg_ui() to ensure API key management is only allowed from UI logins, and sets 'connected_with' in session during auto-login. Refactors profile.js to respect canUpdatePreferences and canUpdatePassword, moves user state initialization to template, and improves preference reset/default logic. Also adjusts script loading and minor UI details in profile.tpl.
2026-03-28 17:42:57 +01:00 · 2025-07-07 08:58:27 +02:00
parent 5e2251dff8
commit eec9a919a5
4 changed files with 112 additions and 87 deletions
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -1127,6 +1127,12 @@ function auto_login()
      $key = calculate_auto_login_key( $cookie[0], $cookie[1], $username );
      if ($key!==false and $key===$cookie[2])
      {
+        // Since Piwigo 16, 'connected_with' in the session defines the authentication context (UI, API, etc).
+        // Auto-login via remember-me may miss this, so we set it to 'pwg_ui' for UI logins (not API).
+        if (script_basename() != 'ws')
+        {
+          $_SESSION['connected_with'] = 'pwg_ui';
+        }
        log_user($cookie[0], true);
        trigger_notify('login_success', stripslashes($username));
        return true;
@@ -2633,4 +2639,20 @@ SELECT

  return $api_keys;
 }
+
+/**
+ * Is connected with pwg_ui (identification.php)
+ *
+ * @since 16
+ * @return bool
+ */
+function connected_with_pwg_ui()
+{
+  // You can manage your api key only if you are connected via identification.php
+  if (isset($_SESSION['connected_with']) and 'pwg_ui' === $_SESSION['connected_with'])
+  {
+    return true;
+  }
+  return false;
+}
 ?>
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -962,7 +962,7 @@ function ws_create_api_key($params, &$service)
 {
  global $user, $logger;

-  if (is_a_guest() OR !can_manage_api_key()) return new PwgError(401, 'Acces Denied');
+  if (is_a_guest() OR !connected_with_pwg_ui()) return new PwgError(401, 'Acces Denied');

  if (get_pwg_token() != $params['pwg_token'])
  {
@@ -999,7 +999,7 @@ function ws_revoke_api_key($params, &$service)
 {
  global $user, $logger;

-  if (is_a_guest() OR !can_manage_api_key()) return new PwgError(401, 'Acces Denied');
+  if (is_a_guest() OR !connected_with_pwg_ui()) return new PwgError(401, 'Acces Denied');

  if (get_pwg_token() != $params['pwg_token'])
  {
@@ -1038,7 +1038,7 @@ function ws_edit_api_key($params, &$service)
    return new PwgError(401, 'Acces Denied');
  }

-  if (!can_manage_api_key())
+  if (!connected_with_pwg_ui())
  {
    return new PwgError(401, 'Acces Denied');
  }
@@ -1081,7 +1081,7 @@ function ws_get_api_key($params, &$service)
    return new PwgError(401, 'Acces Denied');
  }

-  if (!can_manage_api_key())
+  if (!connected_with_pwg_ui())
  {
    return new PwgError(401, 'Acces Denied');
  }
@@ -1095,14 +1095,4 @@ function ws_get_api_key($params, &$service)

  return $api_keys ?? l10n('No API key found');
 }
-
-function can_manage_api_key()
-{
-  // You can manage your api key only if you are connected via identification.php
-  if (isset($_SESSION['connected_with']) and 'pwg_ui' === $_SESSION['connected_with'])
-  {
-    return true;
-  }
-  return false;
-}
 ?>